
Good summary, but disappointing reactions from other distros.

Just to add some info: In the past few days a couple of people gathered in Berlin to discuss reproducible builds. There were some people from the distributions quoted as not showing much interest, so maybe there will be more movement than this article suggests.

My personal take is that I think there are a few more pieces that are needed for really trustworthy software distribution.

I tried to get a grip on that with the idea that we have a chain "upstream repo" - "upstream tarball" - "potentially insecure transport" - "distribution compile" - "package" - "user download".

Reproducible builds basically fix the tarball to package way, but there's a lot more. E.g. how does a repo become a tarball? Who's checking that? And how does user a know he has the same software as user b? (This is mentioned at the end of the article with the comments of Joanna Rutkowska. Others have discussed basically the same ideas under the term "binary transparency".)
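The chain described in the comment above, as an added example that is not part of the original post or of any distribution's tooling: every artifact is identified by its SHA-256, each step records the hash it consumed and the hash it produced, and three separate checks cover the three questions raised (does the chain link repo to package, did independent builders get the same package, and did every user receive that package). All artifact bytes, actor names and user names are constructed sample data.

```python
"""Toy model of the chain "upstream repo" -> "tarball" -> "distribution compile"
-> "package" -> "user download".  Added example; all data below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Step:
    name: str         # which transition in the chain this record describes
    actor: str        # who performed and attested the step (constructed names)
    input_hash: str   # SHA-256 of what the step consumed
    output_hash: str  # SHA-256 of what the step produced


def verify_chain(steps: List[Step], source_hash: str, final_hash: str) -> Tuple[bool, str]:
    """Require each step's input to equal the previous step's output, from source to final."""
    expected = source_hash
    for step in steps:
        if step.input_hash != expected:
            return False, f"{step.name} ({step.actor}): input does not match the previous step's output"
        expected = step.output_hash
    if expected != final_hash:
        return False, "last recorded output is not the package that was shipped"
    return True, "every step consumed exactly what the previous step produced"


def check_reproducible(builds: Dict[str, str]) -> Tuple[bool, Set[str]]:
    """Reproducible iff every independent builder arrived at the same package hash."""
    distinct = set(builds.values())
    return len(distinct) == 1, distinct


def check_transparency(observations: Dict[str, str], published_hash: str) -> List[str]:
    """Binary transparency: return the users whose download differs from the published hash."""
    return sorted(user for user, h in observations.items() if h != published_hash)


# --- constructed sample artifacts -------------------------------------------
REPO_TREE = b"constructed: upstream git tree at tag v1.0"
TARBALL = b"constructed: upstream-1.0.tar.gz"
PACKAGE = b"constructed: upstream_1.0-1_amd64.deb"
TAMPERED_TARBALL = b"constructed: upstream-1.0.tar.gz with an extra file"

GOOD_STEPS = [
    Step("repo -> tarball", "upstream release manager", sha256_hex(REPO_TREE), sha256_hex(TARBALL)),
    Step("tarball -> package", "distribution buildd", sha256_hex(TARBALL), sha256_hex(PACKAGE)),
]
# Same records, but the build consumed a tarball that no attested step produced.
BROKEN_STEPS = [
    GOOD_STEPS[0],
    Step("tarball -> package", "distribution buildd", sha256_hex(TAMPERED_TARBALL), sha256_hex(PACKAGE)),
]

# Two builders rebuilt the tarball and agree; a third produced something else.
REPRODUCIBLE_BUILDS = {"buildd-1": sha256_hex(PACKAGE), "rebuilder-a": sha256_hex(PACKAGE)}
DIVERGENT_BUILDS = {**REPRODUCIBLE_BUILDS, "rebuilder-b": sha256_hex(PACKAGE + b"\x00")}

# What users actually received; user_b got a different binary than everyone else.
USER_DOWNLOADS = {
    "user_a": sha256_hex(PACKAGE),
    "user_b": sha256_hex(PACKAGE + b"!"),
    "user_c": sha256_hex(PACKAGE),
}

if __name__ == "__main__":
    print(verify_chain(GOOD_STEPS, sha256_hex(REPO_TREE), sha256_hex(PACKAGE)))
    print(verify_chain(BROKEN_STEPS, sha256_hex(REPO_TREE), sha256_hex(PACKAGE)))
    print(check_reproducible(DIVERGENT_BUILDS))
    print(check_transparency(USER_DOWNLOADS, sha256_hex(PACKAGE)))
```

The point of splitting the checks is that reproducible builds only answer the middle question: two builders agreeing on a package hash says nothing about whether the tarball they both started from matches the upstream repo, nor whether the user on the other end of the transport received that package and not a different one.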




Tarball downloads by Debian maintainers are secured using OpenPGP and the uscan tool, there are lots of packages where the upstream doesn't do signatures though.

https://wiki.debian.org/debian/watch#Cryptographic_signature...

The Debian maintainers then sign those tarballs before uploading them to Debian.

Verification of the repo -> tarball process is manually done by some Debian maintainers, not everyone does that though.


Have you taken a look at OBS (openSUSE)? Every package in openSUSE:Factory should have a link or _source script to fetch the archive which is then used for the build, so the source of the source should be transparent.


Ideally, you shouldn't even upload the sources to the OBS manually at all! Just provide a so-called "service" file with instructions on how to fetch the sources (tarball or git), and everything after that will be handled by BuildService.


I use disabled services. The _service auto-run magic always makes me feel iffy (it won't work on my local machine for some reason, for example).


Sadly, once one starts down that road, one finds oneself deep down an endless rabbit hole before one knows it.



